git.proxmox.com Git - mirror_edk2.git/commit - OvmfPkg/IntelTdx/IntelTdxX64.dsc

author	Min M Xu <min.m.xu@intel.com>
	Mon, 16 Jan 2023 23:31:57 +0000 (07:31 +0800)
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
	Wed, 18 Jan 2023 03:04:27 +0000 (03:04 +0000)
commit	c3f4f5a949a9e94bafe081c24dbd4110834b11ea
tree	0057b57f71f677bdd47123b129f65a9843e967a3	tree
parent	066d3c8004e2004c9699ec4c5d6f4fb67ab7d231	commit \| diff

OvmfPkg/IntelTdx: Enable separate-fv in IntelTdx/IntelTdxX64.fdf

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=4152

In current DXE FV there are 100+ drivers. Some of the drivers are not
used in Td guest. (Such as USB support drivers, network related drivers,
etc).

From the security perspective if a driver is not used, we'd should prevent
it from being loaded / started. There are 2 benefits:
1. Reduce the attack surface
2. Improve the boot performance

So we separate DXEFV into 2 FVs: DXEFV and NCCFV. All the drivers which
are not needed by a Confidential Computing guest are moved from DXEFV
to NCCFV.

The following patch will find NCCFV for non-cc guest and build FVHob
so that NCCFV drivers can be loaded / started in DXE phase.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Erdem Aktas <erdemaktas@google.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

OvmfPkg/IntelTdx/IntelTdxX64.dsc		diff \| blob \| blame \| history
OvmfPkg/IntelTdx/IntelTdxX64.fdf		diff \| blob \| blame \| history